Privacy authorities in Canada and the UK have launched a joint investigation to assess the scope of sensitive customer information exposed in last year's 23andMe data breach.
The Privacy Commissioner of Canada and the Information Commissioner's Office (ICO) will also look into whether the company had adequate safeguards to secure customer data stored on its systems.
The joint investigation will also examine if 23andMe alerted affected individuals and the privacy regulators as required by Canadian and UK privacy and data protection laws.
“In the wrong hands, a person’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is sufficiently protected against attacks by malicious actors is a vital focus for privacy authorities in Canada and around the globe,” said Privacy Commissioner of Canada Philippe Dufresne.
“People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place,” UK Information Commissioner John Edwards added.
“This data breach had a global impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”
23andMe accounts breached in credential-stuffing attack
In January, genetic testing provider 23andMe confirmed that the attackers stole health reports and raw genotype data of affected customers in a five-month credential-stuffing attack from April 29 to September 27.
The attackers used credentials stolen from other data breaches or compromised online platforms to breach 23andMe accounts.
Upon detecting the attack on October 10, 23andMe started requiring all customers to reset their passwords. Since November 6, two-factor authentication has been enabled by default for all new and existing customers.
The company disclosed in data breach notification letters sent to impacted individuals that some stolen data was posted on the BreachForums hacking forum and the unofficial 23andMe subreddit.
The leaked information included the data of 4.1 million people living in the United Kingdom and 1 million Ashkenazi Jews.
23andMe told BleepingComputer in December that the threat actors downloaded data for 6.9 million out of 14 million customers after breaching around 14,000 user accounts.
Roughly 5.5 million people had their data scraped via the DNA Relatives feature and 1.4 million via the Family Tree feature.
As a result of the incident, multiple lawsuits have been filed against 23andMe, prompting the company to update its Terms of Use on November 30 to make it harder for customers to join class action lawsuits.
However, 23andMe stated that the changes were made to make the arbitration process more efficient and easier for customers to understand.